
Beginning in the Fall of 2020, defense contractors face the very real threat of losing business if they are non-compliant with the newly released Cybersecurity Maturity Model Certification (CMMC) standard.
What Is CMMC?
The Cybersecurity Maturity Model Certification (CMMC), which was released on January 31st, 2020, is a unified standard for implementing cybersecurity across the Department of Defense (DoD) and covers over 300,000 companies in the defense industrial base. This new measure is the DoD’s response to compromises of sensitive defense information and is intended to ensure that such information is securely protected. Previously, contractors were themselves responsible for implementing, monitoring, and certifying the security of their information technology systems, as well as for the security of the DoD information stored on those systems. While contractors will still be responsible for implementing these cybersecurity requirements, the CMMC now requires that a third party assess the contractor’s compliance with the new mandatory practices, procedures, and capabilities, which are designed to adapt and keep up with ever-evolving cyber threats.
Framework for CMMC:
There are five certification levels in the CMMC, reflecting the maturity and reliability of a company’s cybersecurity infrastructure in safeguarding sensitive government information on contractors’ information systems. Each level builds upon the prior level’s technical requirements: it requires compliance with the previous level’s requirements plus the institutionalization of additional processes to implement specific cybersecurity practices. Here is an overview of each level:
- Level One: Basic cybersecurity practices (e.g. changing passwords regularly, using antivirus software) must be performed by companies to protect Federal Contract Information.
- Level Two: Each company must document intermediate cybersecurity practices to protect any Controlled Unclassified Information (CUI), using the security requirements of the US Department of Commerce National Institute of Standards and Technology’s (NIST’s) Special Publication 800-171 Revision 2 (NIST 800-171 r2).
- Level Three: A company must have an institutionalized management plan to ensure adequate cybersecurity practices to safeguard CUI. All of the NIST 800-171 r2 security requirements should be in the plan, as well as other additional standards.
- Level Four: A process should be implemented to review and measure the effectiveness of practices, and to establish additional enhanced practices to detect and respond to the changing tactics, techniques and procedures of advanced persistent threats (APTs).
- Level Five: A company must also have standardized and optimized processes across the organization, and additional enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.
Who Must Comply and WHEN?
Every DoD contractor will have to obtain a CMMC certification once it becomes available. This includes small businesses, commercial item contractors, and foreign suppliers. The CMMC Accreditation Body (CMMC-AB) will work directly with the DoD to develop procedures to certify independent CMMC Third-Party Assessment Organizations (C3PAOs) and assessors that will evaluate companies’ CMMC levels. It is predicted that minimum certification requirements will begin to be implemented as soon as summer of 2020, with select requests for proposals (RFPs) in September 2020.
How to Prepare:
- Immediately learn the CMMC’s technical requirements.
- Prepare for certification and for long-term cybersecurity agility.
- Begin clearly documenting practices and procedures that already comply with CMMC practices or processes.
- Plan for and implement further procedures and practices to obtain the highest certification level possible.
- Follow the development of assessment challenges.
- Check out The Office of the Under Secretary of Defense for Acquisition & Sustainment FAQ: CMMC FAQ
It is exceedingly important that a company evaluate its practices and procedures as soon as possible so that it is prepared for the transition and the mandatory contract requirements.